What is App Notarization on a Mac?

Apple already has a system called Gatekeeper that tries to prevent Mac users from installing malicious software on their machines by checking for an Apple-issued Developer ID certificate that’s included within the app.

To make it possible for third-party applications distributed outside of the Mac App Store to run on Macs without disabling Gatekeeper security, Apple added Developer ID to OS X Mountain Lion. This enabled registered developers to identify themselves and their apps.

The problem was that Developer ID certificates could also be attached to malware (see OS X/Dok below).

With App Notarization, third-party developers who want to sell their apps outside Apple’s Mac App Store can submit their software to Apple for notarization. Apple’s Notary Service will then automatically perform security checks on the software to ensure the installations are malware-free, signed correctly and that they use the appropriate runtime.

Software signed with a Developer ID certificate can also take advantage of advanced capabilities such as CloudKit and Apple Push Notifications.

What Apple says

“Make sure to sign any apps, plug-ins, or installer packages that you distribute to let Gatekeeper know they’re safe to install. And now, you can give users even more confidence in your apps running on macOS Mojave by submitting them to Apple to be notarized,” Apple explains.

Why should I care?

Apple platform security is not fixed in stone and attempts to subvert it are evolving rapidly.

One thing that some people try is to convince customers to download software that is actually useful, but which also installs malware, keyloggers, or other malicious code. Not every attack is aimed at a user’s Mac; in some more complex attacks, criminals subvert one person’s system in order to more easily penetrate another person’s.

One way to protect against such incidents is to ensure that apps that are installed and run on a user’s Mac are safe to use.

App Notarization is a step further than Gatekeeper, in that while Gatekeeper can alert users to potential risk, Notarization provides extra confidence that Apple has examined the app.

Apple has also worked to make the whole process almost transparent to the customer – we don’t really know all this work is going on to protect our Mac experience.

Apple explains:

“A notarized app is a macOS app that was uploaded to Apple for processing before it was distributed. When you export a notarized app from Xcode, it code signs the app with a Developer ID certificate and staples a ticket from Apple to the app. The ticket confirms that you previously uploaded the app to Apple.”

Millions of Mac users don’t want to become security experts, which is why Apple has to be.

How do I know?

When you first try to open a Mac app that has been downloaded from a source outside the Mac App Store you will see a warning message, which reads:

“[Application name] is an application downloaded from the Internet. Are you sure you want to open it?”

When the app has not been notarized, you’ll see choices including Cancel, visit the website of the app developer, or open the app.

A notarized app also flags a warning message, but through a more streamlined interface with Cancel and Open buttons instead.

When you install an application from a trusted source you should be fine. If you are installing software from an unknown or dodgy-seeming source you should double check its security status first, and definitely run a malware checker once it is installed (even though that is by no means always going to find a threat — the best protection is not to install bad software).
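The double check suggested above can be done from Terminal with Gatekeeper’s own `spctl` tool. The script below is an added example, not part of the original article or Apple’s documentation; the sample reports are constructed, and the exact `source=` strings are assumed to match what recent macOS versions print.

```shell
#!/bin/sh
# Added example: classify Gatekeeper's verdict on a downloaded app.
# Usage on a Mac: sh check_notarized.sh /path/to/Some.app
# (the script name is hypothetical)

# Read `spctl --assess -vv` output on stdin and print one label.
classify_assessment() {
    verdict=unknown
    src=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *": accepted") verdict=accepted ;;
            *": rejected") verdict=rejected ;;
            source=*)      src=${line#source=} ;;
        esac
    done
    # Match the source exactly: a substring search for "notarized"
    # would also hit "Unnotarized Developer ID".
    case "$verdict/$src" in
        "accepted/Notarized Developer ID")   echo notarized ;;
        "accepted/Developer ID")             echo developer-id-only ;;
        "rejected/Unnotarized Developer ID") echo signed-not-notarized ;;
        accepted/*)                          echo accepted-other ;;
        rejected/*)                          echo rejected ;;
        *)                                   echo unknown ;;
    esac
}

# Run the real assessment on macOS (spctl writes its report to stderr).
check_app() {
    app=$1
    label=$(spctl --assess --type execute -vv "$app" 2>&1 | classify_assessment)
    echo "$app: $label"
    # A stapled ticket travels with the app, as Apple's quote describes.
    if xcrun stapler validate "$app" >/dev/null 2>&1; then
        echo "ticket: stapled"
    else
        echo "ticket: not stapled, or stapler is unavailable"
    fi
}

# Constructed sample reports (not captured from a real machine).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNNOTARIZED='/Applications/Old.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

if [ "$#" -gt 0 ]; then check_app "$1"; fi
```

A result of `developer-id-only` means the app is signed and accepted but carries no notarization, which is the case the article expects Gatekeeper to stop allowing.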

What happens next?

“In an upcoming release of macOS,” Apple says, “Gatekeeper will require Developer ID signed software to be notarized by Apple.”

This will make it much harder for rogue developers to slip malware into your Mac, and also means Mac users can feel a little more secure when installing software from outside the Mac App Store.

Why is Apple doing this?

Apple recognizes that the threat landscape is becoming far more complex.

Phishing and malware injection attempts rely on creating and abusing user trust, with humans still the weakest link in the chain. As we become more tuned into digital communications, we are becoming increasingly less likely to click on links in spam emails, prompting attackers to look for other ways to undermine system security.

One way to achieve this is to provide what seem to be useful and benign apps that also carry malware – these are hard to spot because you get to do what the app promises it will do, but you as a user are left in the dark when the malware also quietly undermines system security.

This kind of app spoofing is a growing problem on mobile platforms, but with Apple working to boost application development across Mac and iOS, it is already taking steps to protect its computer systems from similar forms of attack.

Think about OS X/Dok

It is likely Apple is also taking these steps as a response to 2017’s OSX/Dok malware attack, which tried to bypass Gatekeeper by shipping with numerous Developer IDs to fool the system. (There’s a good explanation of what this was up to here).

App Notarization should make such exploits much harder because Mac users will be much more aware that when they install an app that isn’t notarized they are running a risk of installing unsafe software. At the end of the day, most legitimate developers will both provide a Developer ID and make the effort to notarize their app. If they don’t, then perhaps there’s another application that does.

The battle for application and platform security is unending, of course, and that’s why anyone using any device on any platform should never become complacent about security – and should also avoid use of any app or platform with a poor record in software patches, update distribution or timely security response.

More information

This is the best report explaining the technology behind App Notarization from a developer’s point of view that I’ve come across: Eclecticlight.
